CN1612149A - Mail servo accessing safety authentication method and IC card authentication hardware - Google Patents


Info

Publication number: CN1612149A
Authority: CN (China)
Prior art keywords: card, authentication, hardware, mail server, user
Legal status: Pending
Application number: CN 200310103378
Other languages: Chinese (zh)
Inventor: 林晖
Current Assignee: Individual
Original Assignee: Individual

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to a mail server login security authentication method and IC card authentication hardware. An ICCID and a GLN are arranged in an IC card, the IC card is placed in an IC card reader, and both are installed on a hardware device that is compatible with a computer USB interface or PS2 slot, or that has wireless communication or infrared transmission, so that the device acts as authentication hardware. Through the interplay of the IC card's embedded program with the control and management of a security control mechanism, the user gains stronger assurance of source identifiability and mail data secrecy. Because the IC card and IC card reader are easy to arrange in general computer peripheral hardware, their range of application is wide, and the device can also serve as a storage medium, giving data access secrecy, safety and flexibility.

Description

Mail server login security authentication method and IC card authentication hardware
Technical field
The present invention relates to a mail server login security authentication method and IC card authentication hardware, and in particular to a design in which authentication hardware serves as a high-security, high-value medium for logging in to a mail server.
Background technology
In a fiercely competitive global commercial environment, e-mail is the indispensable main tool for information transfer and business contact; it occupies up to about 70% of enterprise network resources and is growing rapidly at a rate of 500% per year. According to CNET magazine estimates, by the end of 2001 the number of e-mail accounts had passed the high point of 1,000,000,000; if each e-mail account receives an estimated 20~30 messages per day, then tens of billions of e-mails are transmitted over various networks every day, which shows the importance of e-mail on today's Internet.
The traditional mail transfer protocol (SMTP: Simple Mail Transfer Protocol) has no user authentication function, which makes it quite easy for interested parties to abuse it to relay advertising or spam. A mail transfer system without identity authentication also makes it difficult for system or network administrators to trace problem mail.
Therefore most mail systems refuse to relay mail (mail relay) for users outside the trusted internal zone, but this restriction also causes inconvenience for legitimate users.
For example, after going on a business trip or going home from work, a user cannot continue to use the company's mail server to send mail; a student cannot use the school's mail host to send mail after leaving school for a holiday.
In the past, solving this problem required purchasing expensive commercial mail servers that authenticate the user's identity before the user sends mail. With the method of the present invention, an easy-to-use authentication hardware, the embedded program of its IC card and the security control mechanism established on the hardware, together with a CA identity authentication server, can protect and authenticate effectively, reaching the identity authentication function that previously only commercial software provided.
Moreover, as is generally known, any membership system on the network, including mail server (Mail Server) login, works by the user setting a password or the server itself generating a random password and giving it to the user, with encryption of the information performed at the web server end. Even with encryption, and even though programs and logic have been researched and designed for encryption technology in order to prevent leakage of information on the communication network, in the hope of resisting hackers technically, leakage still cannot be completely prevented under present conditions; this clearly shows that a computer with only password protection is not safe enough.
At present, logging in to a mail server (Mail Server) consists only of entering the user's name and password directly on a web page; if the two match, the mail server (Mail Server) is passed, and any action that legitimate use with this login user's data allows can be carried out, including querying the user's confidential data and mail correspondence records. But with the coding techniques adopted by today's general mail servers (Mail Server), which encode and decode the password on the mail server (Mail Server) alone, there is no real guarantee that the password will not be cracked by a hacker. Today's Internet is boundless, and to meet the demand of being able to go online anytime and anywhere, users can easily go online from different computers or other equipment in many places, which readily leads to passwords being used illegally and to the inability to trace illegal users. For example, when using a public computer in a library or going online in an Internet cafe, since many users share the same machine, if a user is careless and leaves the user name and password in the login screen without deleting them, the next user can easily usurp them, or a hacker using a backdoor program or some simple operating system tool can crack and usurp the confidential data and carry out illegal acts that the legitimate user never authorized, causing the user losses.
In addition, among the password security problems of the existing Internet, the most common is that "hackers crack user passwords by dictionary attack (Dictionary Attack) and impersonate the user's identity"; as is generally known, logging on to a computer system or a membership website by entering a user ID and password is the simplest but also the least safe method.
The reasons are as follows:
1. Most people choose passwords on the basis of easy memorization; very few choose an arbitrary string mixing English letters and digits. The well-known cryptographer Daniel Klein claims that with the general dictionary attack method (Dictionary Attack), the passwords on 40% of computers can be cracked easily. The network is now full of password-cracking software designed by students, system experts and hackers, which provides tools for hacker attacks from inside and outside the enterprise.
2. Information systems are increasingly complex, and the interconnection of many heterogeneous systems means that a user logging on to different computer systems must enter a password again for each operating system. According to expert statistics, only a few people can simultaneously remember three different passwords of eight characters each. The conclusion is that most people write passwords down and keep them in a place they consider safe and convenient. Obviously, this again provides a channel for hacker attacks from inside and outside the enterprise.
3. Even if a user never commits the two errors above, the password obviously exists in plaintext before it is transmitted from the user end to the server. A hacker can intercept the password from any point on the Internet or the LAN, then impersonate the user (Replay) and begin illegally invading the system. Many people think that renting a leased line protects them from hacker attacks. This idea is wrong. Even a leased line is circuit-switched through public switching systems, and for attacking the system it is even more convenient, because once a leased line is established, the route the data flows along rarely changes, so the hacker can concentrate resources on intercepting the data flowing on the fixed line.
Moreover, "a hacker can also intercept unencrypted data in point-to-point transmission and tamper with it". The communications protocol on the Internet is TCP/IP. Before two computers can transmit data, they must first complete a three-way handshake (Three-way Handshaking) to establish the connection and begin transmitting data. The problem hidden here gives hackers a good opportunity to attack.
The reasons are as follows:
1. The transmission of both parties' data passes through the public Internet, and the transmitted data exists in plaintext. Any computer connected to the Internet can monitor (Sniffing) the data on the line. Thus personal privacy, property and enterprise business secrets are fully exposed on the Internet, with no privacy or secrecy to speak of.
2. Sometimes the hacker, having taken control of the connection established above, impersonates the original user's identity to access resources and services on the remote host, and can at the same time impersonate the identity of the host and return large amounts of useless data to the user in an attempt to paralyze the computing capability of the user's computer system (Denial of Service; DoS). The hacker can thus not only impersonate the original user to access resources and services on the remote host, issuing, tampering with or deleting data at will without the host's system operator noticing; more seriously, because the hacker modifies data in a way that leaves no trace, and because the message source (the user's identity) cannot be confirmed, the original user has difficulty clearing himself.
Moreover:
If a user goes online from a public computer in a public place, the connection to the external network (Internet) is through the LAN (LAN) inside that place. Taking Ethernet-based IP networks as an example, all data (packets) on the LAN flow to all PCs in the LAN by broadcasting (Broadcasting). Because each PC has a network card (Network Interface Card), it can filter out packets that are not addressed to itself. The problem hidden here gives hackers another good opportunity to intercept the data transmitted on the LAN.
The reasons are as follows:
1. Since all packets flow to all PCs in the LAN by broadcasting (Broadcasting), and exist in plaintext, anyone on the LAN can play the role of an eavesdropper (Sniffer) and freely read others' data.
2. Worse, once someone's password is intercepted, an illegal login to the system probably follows, and unauthorized things are done by that person: for example signing off or signing out official documents, changing accounts, spreading false messages, selling research and development data to competitors after stealing it, or logging in to this user's mailbox, intercepting important e-mail and tampering with its contents, and so on.
In view of the above, the present invention reflects progress in substance relative to the existing network password security vulnerabilities, and the existing deficiencies of the methods of logging in to mail servers need to be improved.
Therefore the inventor, after concentrated study and continual testing and discussion, finally proposes a reasonably designed and effective improvement of the above deficiencies: a mail server login security authentication system and method that uses an easy-to-use authentication hardware and is effectively protected through dual authentication by a security control mechanism.
Summary of the invention
The object of the invention is to solve the deficiency of existing mail server (Mail Server) login methods, which perform the password encoding and decoding on the mail server (Mail Server) alone and therefore cannot really guarantee that the password will not be cracked by a hacker, so that a computer protected only by password login is not safe enough.
To this end, the technical scheme provided by the invention is:
A mail server login security authentication method, wherein: an integrated circuit (IC, Integrated Circuit) card that is built in with an identity check private code, the integrated circuit card identification code ICCID (Integrated Circuit Card Identification), and an international check code, the global identity GLN (Global Number), is inserted into an IC card reading device (Reader), and both are installed on hardware generally compatible with a computer, to serve as authentication hardware; the method includes the following steps:
Step a: the user uses the authentication hardware equipped with an IC card and an IC card reading device (Reader) to log in to the mail server (Mail Server), enters the login information required of the user, and presses the login button (Login);
Step b: the embedded program of the IC card directs the login process to the CA authentication server, and the ICCID private code built into the IC card is sent to the CA (Certification Authority) authentication server, whose special program judges whether the IC card of the authentication hardware is legitimate and audits its authority; if correct, the number of logins is recorded in the CA authentication server's database, a proof of successful authentication hardware identification (Server Result) is produced, and the random value (Random) produced in the decoding process is returned to the IC card;
Step c: after the preceding step is correct, the IC card's embedded program uses the random value (Random) it obtained to decode the built-in ICCID private code and produce the proof of IC card authentication (Client Result); it then directs the login process to the mail server (Mail Server) and sends the ICCID private code, the proof of IC card authentication (Client Result) and the information entered by the user together to the mail server (Mail Server), which judges from its database whether the user's input is correct and queries the validity period (avail date);
Step d: after the preceding step is correct, the mail server (Mail Server) sends the received ICCID private code and the proof of IC card authentication (Client Result) to the CA authentication server to be decrypted once more, confirming the correctness of the authentication hardware and of the user's information.
An IC card authentication hardware for mail server login security authentication, wherein: the IC card is built in with an identity check private code ICCID and an international check code GLN, the IC card is inserted into an IC card reading device (Reader), and both are installed on hardware generally compatible with a computer, to serve as authentication hardware; the authentication hardware equipped with this IC card may be hardware with a Universal Serial Bus USB (Universal Serial Bus) interface.
The authentication hardware equipped with this IC card may be hardware with a general-connection PS2 slot.
The authentication hardware equipped with this IC card may be hardware with wireless communication.
The authentication hardware equipped with this IC card may be hardware with an IEEE1394 interface.
The authentication hardware equipped with this IC card may be hardware with an IR (infrared) interface.
The authentication hardware equipped with this IC card may be a flash memory.
The authentication hardware equipped with this IC card may be a PCMCIA (Personal Computer Memory Card International Association) interface device.
The authentication hardware equipped with this IC card may be a keyboard, a mouse or a game joystick.
The authentication hardware equipped with this IC card may be a Web Cam (network camera).
The main intention of the present invention stems from the numerous vulnerabilities of existing cyberspace and the inadequate protection of confidential data for users who want to go online with peace of mind; through concentrated study, an IC card is combined with an authentication hardware, and together with a CA authentication server (security control mechanism) this promotes the five major information security requirements that secure transmission of electronic data over the network aims to reach, namely:
(1) Confidentiality of data (Confidentiality)
Ensures that data is not peeped at or stolen by a third party, protecting the privacy of data transmission; this can be achieved by data encryption.
(2) Integrity of data (Integrity)
Ensures that transmitted information is not tampered with by a determined attacker, so as to guarantee the correctness of the transmitted content; this can be protected by digital signature or data encryption.
(3) Source identification (Authentication)
Confirms the source of a transmitted message, so as to prevent the message from being forged; this can be guarded against by means such as digital signature or data encryption.
(4) Non-repudiation (Non-repudiation)
Prevents a user from later denying having sent or received a message or carried out a data transmission; this can be achieved by digital signature and public key infrastructure.
(5) Access control (Access Control)
Controls access to data according to the user's identity; in addition, the execution authority of the security control function modules can be decided according to the user's identity.
The IC card used by the present invention is mainly burned into the chip as firmware, has the advantage of large storage capacity, cannot be made or edited by ordinary people, and is difficult to counterfeit or steal; its anti-counterfeiting and anti-cracking functions are strong, effectively preventing the trouble of malicious usurpation, and the mutual encryption and decryption and cross-comparison with the destination mail server (Mail Server) and the CA authentication server end allow the user to move freely in a secure network environment and experience the convenience that technology brings.
In addition, the authentication hardware equipped with an IC card and an IC card reading device (Reader) may be hardware generally compatible with a computer USB interface or PS2 slot, or with wireless communication or infrared transmission, and may also be used as a storage medium, for example combined with a flash memory, so that data that must not be disclosed need not be kept only on a fixed hard disk, giving data access more confidentiality, security and flexibility; it can even be widely applied to all compatible peripheral hardware, which can then be treated as the proof of legitimate use. Its hardware presentation is like the use of an access-control key, and its usage pattern is acceptable to general users.
Moreover, another added value of the authentication hardware combined with the IC card of the present invention is that it serves as the individual's private key; even when not connected to a mail server (Mail Server), it can protect a stand-alone system. If the user uses a shared computer, such as an office computer or a computer in a school computer classroom, the present invention can also be used to set the read authority of a Profile, which can only be unlocked by the present invention, so that personal information privacy protection is achieved conveniently, safely and comprehensively; even the rights to use peripheral hardware can be locked to prevent use by people without rights.
According to the foregoing, through the above several encryption, decryption and coding protection actions, the present invention can ensure the user's security in authenticating to the mail server (Mail Server) and avoid leakage of the user's confidential data, and the CA authentication server can suitably provide a safer and higher-quality protected environment for the mail server (Mail Server).
The credential management operation of this system is carried out by the user connecting to the mail server (Mail Server) with a browser, and the authentication program sends each request to the credential server system. User credential confirmation and related functions can be carried out very easily, the authentication program on the web server (WebServer) end is simple to install, and the IC card used by the present invention is easily combined with general computer peripheral hardware, so its range of application should be general.
Compared with the existing general methods of logging in to a mail server (Mail Server), the present invention uses an IC card to store a secret authentication data and an identity check private code ICCID of the user, installs this IC card on hardware generally compatible with a computer USB interface or PS2 slot, or with wireless communication, as authentication hardware, and combines it with an authentication program on the mail server (Mail Server); when the user logs in to the mail server (Mail Server) with this authentication hardware, several encryption, decryption and coding protection actions ensure the security of the user's login authentication on the site, avoid leakage of the user's confidential data, and suitably provide a safer, higher-quality protected network environment for the mail server (Mail Server).
Description of drawings
Fig. 1 is a step flow chart of the present invention;
Fig. 2 is a schematic diagram of the available hardware on which the IC card used by the present invention is installed;
Fig. 3 is a schematic diagram of the entity flow guidance of the present invention;
Fig. 4 is an application implementation illustration of the IC card used by the present invention;
Fig. 5 is an integrated application implementation illustration of the IC card used by the present invention installed on a PCMCIA interface device;
Fig. 6 is an integrated application implementation illustration of the IC card used by the present invention installed on a flash memory;
Fig. 7 is a schematic diagram of the IC card used by the present invention installed on a flash memory inserted into a computer host housing.
[figure number explanation]
10, authentication hardware
20, CA authentication server
30, IC-card
40, authentication hardware
50, authentication hardware
60, CA authentication server
70, mail server
Embodiment
The embodiments of the present invention will be better understood from the following further description with reference to the drawings.
Figure 1 is a step flow chart of the present invention, which includes the four main steps a, b, c and d; a correct login process also includes the five main flows step.1 to step.5:
Step a: the user uses the authentication hardware equipped with an IC card and an IC card reading device (Reader) to log in to the mail server (Mail Server), enters the login information required of the user, and presses the login button (Login);
Step b: the embedded program of the IC card directs the login process to the CA authentication server, and the ICCID private code built into the IC card is sent to the CA authentication server for comparison (step.1); the special program of the CA authentication server judges whether the IC card on the authentication hardware is legitimate and audits its authority; if correct, the number of logins is recorded in the CA authentication server's database, a proof of successful authentication hardware identification (Server Result) is produced, and the random value (Random) produced in the decoding process is returned to the IC card (step.2);
Step c: after the preceding step is correct, the IC card's embedded program uses the random value (Random) it obtained to decode the built-in ICCID private code and produce the proof of IC card authentication (Client Result) (step.3); it then directs the login process to the mail server (Mail Server) and sends the ICCID private code, the proof of IC card authentication (Client Result) and the information entered by the user together to the mail server (Mail Server), which judges from its database whether the user's input is correct and queries the validity period (avail date);
Step d: after the preceding step is correct, the mail server (Mail Server) sends the received ICCID private code and the proof of IC card authentication (Client Result) to the CA authentication server to be decrypted once more, confirming the correctness of the authentication hardware and of the user's information (step.4).
The above steps are now described in detail as follows:
First, step a means: the user holds an IC card built in with an identity check private code ICCID and an international check code GLN; this IC card is inserted into an IC card reading device (Reader) and installed on hardware generally compatible with a computer USB interface or PS2 slot, or having wireless communication, infrared transmission and the like, as authentication hardware; the user uses this authentication hardware to log in to the mail server (Mail Server) in login mode, enters the user name (Username) and password (Password), and presses the login button (Login).
Step b means: after the user enters the user name (Username) and password (Password), the embedded program of the IC card first directs the login process to the CA authentication server for encryption and decryption. The value of the ICCID private code is first decrypted by a special procedure and compared against the CA authentication database; after the corresponding ICCID private code and its authorization pass (Validate=Y), the EKI is obtained, KI is deciphered in advance, and a random value (Random) is generated and encrypted with KI, the result being stored in the CA authentication server's database. This encrypted result is the proof of successful authentication hardware identification (Server Result); it also serves to record the number of times this user has logged in with this authentication hardware, to confirm the legitimacy of this authentication hardware and whether this private code ICCID has authority to log in to this site, and how much authority is granted. After hardware identification passes, the CA authentication server sends the generated random value (Random) back to the IC card as the KEY, for the mail server (Mail Server) end to use in cross-comparison with the CA authentication server after the second-step authentication flow. If the ICCID private code set in the IC card on this authentication hardware fails authorization in the comparison (Validate=N, card not activated), the system informs the user that hardware identification failed, and the user loses the qualification to log in. This is the first-step authentication flow.
Step c means: once the first-step authentication flow succeeds, the general-purpose website server (AP Server) first receives from the IC card the KEY value sent by the CA authentication server, the ICCID private code, and the user name (Username) and password (Password) typed by the user, and then directs the flow to the mail server (Mail Server) to compare whether the user name (Username) and password (Password) are correct and to check whether this user's validity period has expired.
Step d means: if step c compares without error, the KEY value and the ICCID private code are passed back to the CA authentication server for encryption and decryption. The value of the ICCID private code is first decrypted by a special procedure and compared against the CA authentication database; after the corresponding ICCID private code and its authorization pass (Validate=Y), the EKI is obtained, the EKI value is decrypted with the KEY value, and the comparison checks whether it matches the Server Result. If it matches, the second-step authentication passes; if the cross-comparison determines that the user is legitimate, the user may pass the login entrance with legitimate rights and continue to the next Web Page, and the Server Result computed by encryption and decryption on the CA authentication server is emptied so that a new Server Result is produced and held temporarily at the user's next login. If the comparison does not match, the mail server (Mail Server) is informed that the ICCID private code of the authentication hardware is wrong; authentication fails and the user loses the qualification to log in. This is the second-step authentication flow.
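As an added worked example (not code from the patent or its inventor), the following Python simulates the two-step flow of steps a to d above using the patent's own symbols (ICCID, KI, EKI, Random/KEY, Server Result, Client Result, Validate=Y/N, avail date, login count). The patent names no algorithms, so every keyed transform is an assumption: HMAC-SHA256 stands in for encrypting Random under KI and for deriving the Client Result from ICCID under Random, an XOR wrap stands in for EKI = Enc(KI), the CA's step d comparison is modelled as recomputing the Server Result from the KEY, and the ICCID travels in the clear for brevity; class names, status strings and sample records are constructed for this example.

```python
import hashlib
import hmac
import secrets
from datetime import date

TODAY = date(2024, 1, 1)   # constructed "current date" for the avail date check

def keyed_tag(key: bytes, msg: bytes) -> bytes:
    """Stand-in (assumption) for the patent's unnamed keyed encryption of a value."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor_wrap(key: bytes, label: bytes, data: bytes) -> bytes:
    """Reversible stand-in (assumption) for EKI = Enc(KI): XOR with a key-derived stream."""
    stream = hashlib.sha256(key + label).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class CAServer:
    """CA authentication server: per-ICCID record with EKI, Validate flag, login count."""
    def __init__(self, master_key: bytes):
        self.master = master_key   # assumed CA-side key that wraps KI into EKI
        self.db = {}

    def enrol(self, iccid: bytes, ki: bytes, validate: bool = True) -> None:
        self.db[iccid] = {"eki": xor_wrap(self.master, iccid, ki), "validate": validate,
                          "logins": 0, "server_result": None}

    def _ki(self, rec, iccid: bytes) -> bytes:
        return xor_wrap(self.master, iccid, rec["eki"])   # "decipher KI in advance"

    def hardware_auth(self, iccid: bytes):
        """Step b (step.1/step.2): check Validate, count the login, store Server Result,
        return Random to the card as KEY. None means hardware identification failed."""
        rec = self.db.get(iccid)
        if rec is None or not rec["validate"]:            # Validate=N: card not activated
            return None
        rnd = secrets.token_bytes(16)
        rec["logins"] += 1
        rec["server_result"] = keyed_tag(self._ki(rec, iccid), rnd)
        return rnd

    def cross_check(self, iccid: bytes, key: bytes, client_result: bytes) -> bool:
        """Step d (step.4): re-derive Server Result from KEY, check the card's Client
        Result, then empty Server Result so the next login must obtain a fresh Random."""
        rec = self.db.get(iccid)
        if rec is None or not rec["validate"] or rec["server_result"] is None:
            return False
        ok = (hmac.compare_digest(keyed_tag(self._ki(rec, iccid), key), rec["server_result"])
              and hmac.compare_digest(keyed_tag(key, iccid), client_result))
        rec["server_result"] = None
        return ok

class ICCard:
    """Embedded program of the card: Client Result binds the built-in ICCID to Random."""
    def __init__(self, iccid: bytes):
        self.iccid = iccid

    def client_result(self, rnd: bytes) -> bytes:        # step c (step.3)
        return keyed_tag(rnd, self.iccid)

class MailServer:
    """Mail Server: Username/Password, card binding and avail date, then CA cross-check."""
    def __init__(self, ca: CAServer):
        self.ca = ca
        self.users = {}

    def add_user(self, username: str, password: str, iccid: bytes, avail: date) -> None:
        self.users[username] = {"pw": hashlib.sha256(password.encode()).digest(),
                                "iccid": iccid, "avail": avail}

    def login(self, username: str, password: str, iccid: bytes,
              client_result: bytes, key: bytes, today: date) -> str:
        u = self.users.get(username)
        given = hashlib.sha256(password.encode()).digest()
        if u is None or not hmac.compare_digest(u["pw"], given) or u["iccid"] != iccid:
            return "CREDENTIALS_FAILED"
        if today > u["avail"]:                             # validity period (avail date)
            return "EXPIRED"
        if not self.ca.cross_check(iccid, key, client_result):
            return "CROSS_CHECK_FAILED"
        return "OK"

def login_flow(card: ICCard, ca: CAServer, mail: MailServer,
               username: str, password: str, today: date):
    """Steps a-d end to end. Returns (status, KEY, Client Result) so a replay can be tested."""
    rnd = ca.hardware_auth(card.iccid)
    if rnd is None:
        return "HARDWARE_AUTH_FAILED", None, None
    cr = card.client_result(rnd)
    return mail.login(username, password, card.iccid, cr, rnd, today), rnd, cr

def demo_setup():
    """Constructed sample data: one activated card, one with Validate=N, one expired user."""
    ca = CAServer(master_key=b"ca-master-key-demo")
    ca.enrol(b"ICCID-0001", ki=b"ki-for-card-0001")
    ca.enrol(b"ICCID-0002", ki=b"ki-for-card-0002", validate=False)
    mail = MailServer(ca)
    mail.add_user("alice", "pw-alice", b"ICCID-0001", date(2099, 1, 1))
    mail.add_user("bob", "pw-bob", b"ICCID-0002", date(2099, 1, 1))
    mail.add_user("carol", "pw-carol", b"ICCID-0001", date(2000, 1, 1))
    return ca, mail
```

Because the Server Result is emptied after each cross-check, a captured KEY and Client Result cannot be presented a second time: the CA's step d comparison has nothing to match against until the card has run step b again.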
Please refer now to Fig. 2, a schematic diagram of the hardware usable by the device of the present invention.
IC card 30 is mainly burned into a chip as firmware. It has the advantage of large storage capacity, cannot be manufactured or edited by ordinary people, and is hard to counterfeit; its anti-counterfeiting and anti-cracking capabilities are strong, so it effectively prevents misuse by malicious persons. Together with the mutual encryption and decryption and the cross comparison between the destination mail server (Mail Server) and the CA authentication server, it lets the user move freely in a secure network environment.
The authentication hardware 40 that accompanies IC card 30 may be hardware generally compatible with a computer USB interface or PS2 slot, or hardware with wireless communication. It can also serve as a storage medium, for example when combined with a flash memory, giving data access greater confidentiality and security; its scope for future development is very wide.
Fig. 3 is a flow-guidance schematic diagram of the present invention, showing the flow during actual operation; from the user's sign-in to formal login there are 8 routes in total. Please refer to the figure.
Route 1: the user uses an authentication hardware (carrying an IC card) 50 installed on the computer from which mail is to be sent to log in to mail server (Mail Server) 70 and enter user data.
Route 2: the member login form; after the user enters Username and Password and presses the login button (Login), route 3 is triggered.
Route 3: authentication procedure 1 of the present invention (Winsock). The embedded program of the IC card first directs the login process to CA authentication server 60 to perform the encryption and decryption actions. In the authentication procedure (Winsock), the value of the ICCID code is first decrypted by a special procedure and used to look up the CA authentication database; after the corresponding ICCID code and the authorised (Validate=Y) EKI are found, KI is decrypted in advance, a random value (Random) is generated, and the result of encrypting it with KI is stored in the database of the CA authentication server. This encrypted result is the credential of successful authentication hardware identification (the Server Result); it can also be used to record how many times this user has logged in with this authentication hardware, to confirm the legitimacy of the authentication hardware and whether this ICCID code has the authority to log in to this website, and to record how many persons have been granted authority.
Route 4: after hardware identification finishes, the CA authentication server sends the random value (Random) back to the IC card. On receiving it, the embedded program of the IC card first decrypts the built-in ICCID code and a KI value (whether the KI value belongs to authorised authentication hardware is not checked here; the power of audit and comparison rests with the CA authentication server), then uses the received random value (Random) to produce the credential of IC card authentication (the Client Result), for use in the cross comparison between the application web server (AP Server) and the CA authentication server during the second-step authentication. If the ICCID code set in the IC card on this authentication hardware is not authorised (Validate=N, card not activated) in the comparison result, the system informs the user that hardware identification has failed, and the user loses the qualification to log in.
Route 5: if the first-step authentication succeeds, route 5 directs the flow to mail server (Mail Server) 70, which first receives the ICCID code on the IC card, the credential of IC card authentication (Client Result), and the username (Username) and password (Password) entered by the user. Mail server (Mail Server) 70 first compares the username (Username) and password (Password) against its own database and checks whether the user's validity period has expired.
Route 6: if the comparison is error-free, route 6 performs the authentication procedure: the ICCID code and the credential of IC card authentication (Client Result) are passed back to the CA authentication server for cross comparison. The value of the ICCID code is first decrypted by the special procedure and used to look up the CA authentication database to find the corresponding ICCID code and the authorised (Validate=Y) credential of successful authentication hardware identification (Server Result); the Server Result is then compared with the credential of IC card authentication (Client Result).
Route 7: if they match, the second-step authentication passes. Once the cross comparison determines that the user is legitimate, the user passes through the login entry with legitimate usage rights and can legitimately send, receive and access mail data on mail server (Mail Server) 70.
Route 8: the final step. The Server Result produced by encryption and decryption on the CA authentication server is emptied. If the comparison result does not match, mail server (Mail Server) 70 is informed that the ICCID code of the authentication hardware is wrong, authentication fails, and the user loses the qualification to log in.
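The two-step flow described above (first-step hardware authentication against the CA server with a random challenge, the mail server's own username/password and validity-period checks, then the cross comparison of Server Result against Client Result, after which the Server Result is emptied) can be modelled end to end. The following Python is an added example, not code from the patent: it substitutes HMAC-SHA256 for the patent's unspecified "encryption with KI", a fixed XOR mask for the unspecified "special flow process" that hides the ICCID on the card, and PBKDF2 for the mail server's password store. The ICCIDs, keys, usernames and dates are all constructed for the example.

```python
"""Three-party IC-card login flow modelled on the patent's routes 1-8 (added example)."""
import hashlib
import hmac
import secrets
from datetime import date

# Stand-in for the page's unspecified "special flow process" that hides the ICCID
# on the card: a fixed mask shared by the card issuer and the CA server (constructed).
_MASK = bytes.fromhex("5a3c9e17")


def encode_iccid(iccid: str) -> str:
    raw = iccid.encode()
    return bytes(b ^ _MASK[i % len(_MASK)] for i, b in enumerate(raw)).hex()


def decode_iccid(code: str) -> str:
    raw = bytes.fromhex(code)
    return bytes(b ^ _MASK[i % len(_MASK)] for i, b in enumerate(raw)).decode()


def mac(ki: bytes, random_value: bytes) -> bytes:
    """'Encrypt the random value with KI', modelled here as HMAC-SHA256 (assumption)."""
    return hmac.new(ki, random_value, hashlib.sha256).digest()


class IcCard:
    """Authentication hardware: holds the hidden ICCID code and its key KI."""
    def __init__(self, iccid: str, ki: bytes):
        self.iccid_code = encode_iccid(iccid)
        self._ki = ki

    def client_result(self, random_value: bytes) -> bytes:
        return mac(self._ki, random_value)           # route 4: Client Result


class CaServer:
    """CA authentication server: ICCID -> (KI, Validate), login counts, pending Server Results."""
    def __init__(self, records: dict):
        self.records = records      # iccid -> {"ki": bytes, "validate": "Y" or "N"}
        self.login_count = {}       # iccid -> number of successful hardware identifications
        self.pending = {}           # iccid -> Server Result awaiting the cross comparison

    def authenticate_hardware(self, iccid_code: str):
        """Routes 3-4: return the random challenge, or None if the card is not authorised."""
        iccid = decode_iccid(iccid_code)
        rec = self.records.get(iccid)
        if rec is None or rec["validate"] != "Y":   # Validate=N: hardware identification fails
            return None
        self.login_count[iccid] = self.login_count.get(iccid, 0) + 1
        random_value = secrets.token_bytes(16)
        self.pending[iccid] = mac(rec["ki"], random_value)   # Server Result kept for route 6
        return random_value

    def cross_compare(self, iccid_code: str, client_result: bytes) -> bool:
        """Route 6: compare Client Result with the stored Server Result, then empty it (route 8)."""
        iccid = decode_iccid(iccid_code)
        server_result = self.pending.pop(iccid, None)   # emptied on failure too (assumption)
        return server_result is not None and hmac.compare_digest(server_result, client_result)


class MailServer:
    """Mail server: username/password check and validity-period check (route 5)."""
    def __init__(self, users: dict):
        self.users = users  # username -> {"salt": bytes, "pw_hash": bytes, "expires": date}

    @staticmethod
    def hash_pw(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_user(self, username: str, password: str, today: date) -> bool:
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(self.hash_pw(password, u["salt"]), u["pw_hash"]):
            return False
        return today <= u["expires"]


def login(card, ca, mail, username, password, today):
    """Routes 1-8 in order. Returns (success, reason)."""
    random_value = ca.authenticate_hardware(card.iccid_code)          # first-step authentication
    if random_value is None:
        return False, "hardware identification failed (Validate=N or unknown ICCID)"
    client_result = card.client_result(random_value)
    if not mail.check_user(username, password, today):               # mail server's own checks
        return False, "username/password incorrect or validity period expired"
    if not ca.cross_compare(card.iccid_code, client_result):         # second-step authentication
        return False, "authentication hardware ICCID code mismatch"
    return True, "login granted"


# Constructed sample data (not from the patent).
KI_A = b"\x01" * 16
CA = CaServer({"8986001234": {"ki": KI_A, "validate": "Y"},
               "8986009999": {"ki": b"\x02" * 16, "validate": "N"}})
SALT = b"constructed-salt"
MAIL = MailServer({"alice": {"salt": SALT, "pw_hash": MailServer.hash_pw("correct horse", SALT),
                             "expires": date(2030, 1, 1)}})
TODAY = date(2024, 6, 1)


def demo() -> dict:
    good = IcCard("8986001234", KI_A)
    revoked = IcCard("8986009999", b"\x02" * 16)
    cloned = IcCard("8986001234", b"\xff" * 16)   # right ICCID code, wrong KI: fails route 6
    return {
        "good": login(good, CA, MAIL, "alice", "correct horse", TODAY)[0],
        "revoked": login(revoked, CA, MAIL, "alice", "correct horse", TODAY)[0],
        "bad_password": login(good, CA, MAIL, "alice", "wrong", TODAY)[0],
        "expired": login(good, CA, MAIL, "alice", "correct horse", date(2031, 1, 1))[0],
        "wrong_ki": login(cloned, CA, MAIL, "alice", "correct horse", TODAY)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Emptying the Server Result after the cross comparison is what makes each login's challenge single-use; the example also clears it on a failed comparison so a stale value cannot be matched later. Note that, as in the patent's description, the card's KI is never checked until the CA server's cross comparison, which is why the cloned card passes the first step and only fails at route 6.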
Fig. 4 is an implementation illustration of the present invention using an IC card with a built-in identity check code ICCID and an international check code GLN, installed as authentication hardware on hardware generally compatible with a computer USB interface or PS2 slot, or with wireless communication, infrared transmission or the like. As the small figure of embodiment A shows, the IC card of the present invention can also be installed in a keyboard (Key Board) to control keyboard usage rights: the embedded program of the IC card displays a keyboard-locked picture on the computer desktop, so that a user of the same computer cannot operate the keyboard after entering the operating system; only when the user clicks the keyboard (Key Board) lock picture does an unlock message appear for entering the unlock password, and a user without usage rights cannot use the computer. In the small figure of embodiment B the IC card of the present invention is installed in a mouse and likewise controls mouse usage rights; in the small figure of embodiment C it is installed in a game joystick; and in the small figure of embodiment D it is installed in a WebCam (network camera). All of these embodiments of the invention apply the control of peripheral hardware usage rights, extending the security protection mechanism comprehensively.
As shown in Fig. 5, an integrated-application implementation illustration in which the IC card of the present invention is installed in a PCMCIA interface device, this embodiment gives the application of the present invention greater compatibility and wider implementation.
As shown in Fig. 6, an integrated-application implementation illustration of the device of the present invention in a flash memory, the IC card of the present invention is installed in a flash memory so that data need no longer be stored only on a fixed hard disk, giving data access greater confidentiality, security and mobility, and bringing more convenience.
Fig. 7 is a schematic diagram of the IC card of the present invention installed in a flash memory that is inserted into a computer host housing; inserting the authentication hardware with the USB interface of the present invention into the USB slot of the computer host housing allows all of the aforementioned steps to be carried out.
In summary, the mail server (Mail Server) login security authentication system and method provided by the present invention can replace the existing mail server (Mail Server) login pattern. It uses an IC card with a built-in identity check code ICCID and an international check code GLN, installed as authentication hardware on hardware generally compatible with a computer USB interface or PS2 slot, or with wireless communication or infrared transmission; when the user logs in with this authentication hardware, several rounds of encryption and decryption and the cross comparison system between the destination server and the authentication server effectively confirm the user's legitimacy. Moreover, a further added value of the authentication hardware with IC card of the present invention is that it serves as the individual's private key, with the superior properties of permanent protection and high security. Having wide application and high-security characteristics, and being an unprecedented design, it truly meets the requirements for an invention patent; the applicant earnestly asks the authorities to examine it in detail and grant a patent, to the benefit of the nation and the people, for which the applicant would be sincerely grateful.
However, the techniques, figures, methods, programs and controls described above are only one preferred embodiment of the present invention; equivalent changes or modifications made according to the technology of the claims of the present application, or products achieving the same partial function, all still fall within the scope covered by the patent rights of the present invention, and the scope of the invention's implementation is not limited thereby.

Claims (10)

1. A mail server login security authentication method, characterized in that: an IC card with a built-in identity check code ICCID and an international check code GLN is inserted into an IC card reader and installed, as authentication hardware, on hardware generally compatible with a computer; the method comprises the following steps:
Step a: the user uses the authentication hardware, consisting of an IC card and an IC card reader, to log in to the mail server, enters the information required for login, and presses the login button;
Step b: the embedded program of the IC card directs the login process to the CA authentication server and sends the IC card's built-in ICCID code to the CA authentication server; a special program on the CA authentication server judges whether the authentication hardware is legitimate and audits the authority of the IC card; if correct, the CA authentication server records the login count in its database, produces a credential of successful authentication hardware identification, and returns the random value produced during the decoding procedure to the IC card;
Step c: after the preceding step is correct, the IC card uses its embedded program and the received random value to decode the built-in ICCID code and produce a credential of IC card authentication, directs the login process to the mail server, and sends the ICCID code, the credential of IC card authentication and the information entered by the user together to the mail server, which judges from its database whether the information entered by the user is correct and checks the validity period;
Step d: after the preceding step is correct, the mail server sends the ICCID code and the received credential of IC card authentication to the CA authentication server for decryption, to confirm once more the correctness of the authentication hardware and of the user's information.
2. IC card authentication hardware for mail server login security authentication, characterized in that: the IC card has a built-in identity check code ICCID and an international check code GLN, is inserted into an IC card reader, and is installed on hardware generally compatible with a computer as authentication hardware; the authentication hardware carrying this IC card may be hardware with a USB interface.
3. The IC card authentication hardware for mail server login security authentication as claimed in claim 2, characterized in that: the authentication hardware carrying this IC card may be hardware with a PS2 slot.
4. The IC card authentication hardware for mail server login security authentication as claimed in claim 2, characterized in that: the authentication hardware carrying this IC card may be hardware with wireless communication.
5. The IC card authentication hardware for mail server login security authentication as claimed in claim 2, characterized in that: the authentication hardware carrying this IC card may be hardware with an IEEE1394 interface.
6. The IC card authentication hardware for mail server login security authentication as claimed in claim 2, characterized in that: the authentication hardware carrying this IC card may be hardware with an IR infrared interface.
7. The IC card authentication hardware for mail server login security authentication as claimed in claim 2, characterized in that: the authentication hardware carrying this IC card may be a flash memory.
8. The IC card authentication hardware for mail server login security authentication as claimed in claim 2, characterized in that: the authentication hardware carrying this IC card may be a PCMCIA interface device.
9. The IC card authentication hardware for mail server login security authentication as claimed in claim 2, characterized in that: the authentication hardware carrying this IC card may be a keyboard, a mouse or a game joystick.
10. The IC card authentication hardware for mail server login security authentication as claimed in claim 2, characterized in that: the authentication hardware carrying this IC card may be a Web Cam network camera.
CN 200310103378 2003-10-29 2003-10-29 Mail servo accessing safety authentication method and IC card authentication hardware Pending CN1612149A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200310103378 CN1612149A (en) 2003-10-29 2003-10-29 Mail servo accessing safety authentication method and IC card authentication hardware

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200310103378 CN1612149A (en) 2003-10-29 2003-10-29 Mail servo accessing safety authentication method and IC card authentication hardware

Publications (1)

Publication Number Publication Date
CN1612149A true CN1612149A (en) 2005-05-04

Family

ID=34756644

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200310103378 Pending CN1612149A (en) 2003-10-29 2003-10-29 Mail servo accessing safety authentication method and IC card authentication hardware

Country Status (1)

Country Link
CN (1) CN1612149A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008148245A1 (en) * 2007-06-06 2008-12-11 Hui Lin Digital content protection method and system based on user identification
CN102339483A (en) * 2010-07-14 2012-02-01 新谊整合科技股份有限公司 Security system and method by integrating access control and information equipment
CN103560941A (en) * 2013-09-29 2014-02-05 西安祥泰软件设备***有限责任公司 Portable mail server and operation method thereof
CN103560941B (en) * 2013-09-29 2017-06-06 西安祥泰软件设备***有限责任公司 Portable mail server and its operation method

Similar Documents

Publication Publication Date Title
CN102217277B (en) Method and system for token-based authentication
CN101192926B (en) Account protection method and system
US20080148057A1 (en) Security token
US6981156B1 (en) Method, server system and device for making safe a communication network
CN104662870A (en) Data security management system
WO2019234409A1 (en) Dongle for ciphering data
CN101297534A (en) Method and apparatus for secure network authentication
CN101420302A (en) Safe identification method and device
CN110650021A (en) Authentication terminal network real-name authentication method and system
CN101552671A (en) Network identity authentication method based on U-disk and dynamic differential password and system thereof
US20050066199A1 (en) Identification process of application of data storage and identification hardware with IC card
US20150121504A1 (en) Identification process of application of data storage and identification hardware with ic card
US20100058453A1 (en) Identification process of application of data storage and identification hardware with ic card
CN1612149A (en) Mail servo accessing safety authentication method and IC card authentication hardware
CN1612148A (en) Data storage and application authentication method and IC card authentication hardware
TWI328956B (en)
CN100469012C (en) An authentication method for information storaging application and IC card authentication hardware
CN100477594C (en) Method of internet clearance security certification
CN1271525C (en) Computer system landing method
CN1612117A (en) Internet link secure authentication method and IC card authentication hardware
CN1860729A (en) Method of mail server landing security certification and IC card certification hardware
MORAKINYO A secure bank login system using a multi-factor authentication
Nagar et al. A secure authenticate framework for cloud computing environment
Khorajiya et al. A Security based Architecture using Kerberos and PGP
WO2006039832A1 (en) Authentication method for storage and application of data, ic card, fingerprint scanner

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication